
Page 1: Lightning Talk: IDAscope
Author: Daniel Plohmann
Subject: 24.10.2012 @ hack.lu
Keywords: idascope idapro malware analysis
Created Date: 10/24/2012 2:07:52

© Cyber Defense Research Group, Fraunhofer FKIE

simpliFiRE.IDAscope
An IDA Pro extension for easier (malware) reverse engineering

Daniel Plohmann, Alexander Hanel
[email protected]
[email protected]

Page 2: Some words about myself

Personal background
- PhD student and researcher at University of Bonn & Fraunhofer FKIE
- Research focus: Reverse Engineering
- Work focus: malware analysis and botnet mitigation

Projects
- Author of 2011 ENISA Botnet Study [1]
- PyBox [2]: Userland-hooking framework (with Felix Leder)
- AntiRE [3]: An Executable Collection of Anti-Reversing Techniques

[1] http://www.enisa.europa.eu/act/res/botnets/botnets-measurement-detection-disinfection-and-defence
[2] http://code.google.com/p/pyboxed
[3] https://bitbucket.org/fkie_cd_dare/simplifire.antire

Page 3: Current State

simpliFiRE.IDAscope

Page 4: IDAscope … in a nutshell

An IDA Pro extension for easier (malware) reverse engineering.
Motivated by the current workflow of working with IDA Pro.
Repeat: „Identify relevant parts of the binary; tear apart; document findings.“

Common tasks:
1) Malware RE usually starts with the corner pieces: strings, API calls, signature hits, … API calls are a good indicator for function semantics.
2) Reoccurring need for looking up things in MSDN. Switch windows time and time again…
3) C&C communication schemes are of high interest! Find and understand cryptographic routines used.

Idea: Provide automation/integration of „helpers“ that assist with regularly performed tasks.

Page 5: IDAscope Overview

Functionality organized in tabs.
Main window can be dragged around like every other IDA view.

Page 6: IDAscope: Features
1) Function Inspection

Tagging of functions
- Based on API calls
- APIs can be specified via config
- Renaming with tags possible

Example: DownloadToFile consists of API calls tagged with File and Network.

Page 7: IDAscope: Features
1) Function Inspection

Coloring of basic blocks
- Based on API semantics
- Colors can be adjusted
- More an experiment :)

Semantic categories shown in the color legend: Sysinfo/Registry, Network, File Access, Memory Access, Execution, Crypto, Multi
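The tagging and coloring described on the two Function Inspection slides above, as an added example that is not IDAscope's code: a config maps API names to semantic tags, a function's tags are derived from the APIs it calls, the function is renamed with its tags as prefixes, and a basic block gets one category (or "Multi") for coloring. The API-to-tag config (API_TAGS) and the call lists (CALLS) are constructed sample data.

```python
# Added example, not IDAscope's code: config-driven tagging of functions by
# the APIs they call, tag-prefix renaming, and the per-block category used
# for coloring. API_TAGS and CALLS are constructed sample data.

# Config: API name -> semantic tag (IDAscope lets these be specified via config).
API_TAGS = {
    "InternetOpenUrlA": "Network", "InternetReadFile": "Network",
    "CreateFileA": "File", "WriteFile": "File",
    "RegOpenKeyExW": "Registry", "VirtualAlloc": "Memory",
    "CryptDecrypt": "Crypto", "CreateThread": "Execution",
}

# Stand-in for IDA's call cross-references: function -> APIs it calls.
CALLS = {
    "sub_401000": ["InternetOpenUrlA", "InternetReadFile", "CreateFileA", "WriteFile"],
    "sub_402000": ["VirtualAlloc", "memcpy"],   # memcpy has no tag in the config
    "sub_403000": ["Sleep"],                    # no tagged API at all
}

def tags_for(func, calls=CALLS, api_tags=API_TAGS):
    """Sorted, de-duplicated tags implied by the APIs a function calls."""
    return sorted({api_tags[a] for a in calls.get(func, ()) if a in api_tags})

def tagged_name(func, calls=CALLS, api_tags=API_TAGS):
    """Rename to '<Tag>_<Tag>_<original>'. Prefixes left by an earlier run are
    stripped first so repeated tagging does not stack them."""
    tags = tags_for(func, calls, api_tags)
    if not tags:
        return func
    prefixes = tuple(t + "_" for t in set(api_tags.values()))
    base = func
    while base.startswith(prefixes):
        base = base.split("_", 1)[1]
    return "_".join(tags + [base])

def block_category(block_apis, api_tags=API_TAGS):
    """Category used to color a basic block: the single tag, 'Multi' when the
    block touches several categories, None when it calls no tagged API."""
    cats = {api_tags[a] for a in block_apis if a in api_tags}
    if not cats:
        return None
    return cats.pop() if len(cats) == 1 else "Multi"

def rename_all(calls=CALLS, api_tags=API_TAGS):
    """Map every function to its tagged name (unchanged if nothing matched)."""
    return {f: tagged_name(f, calls, api_tags) for f in calls}
```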

Page 8: IDAscope: Features
1) Function Inspection

Code to function conversion
- Function prologues get handled first
- Then remaining undefined areas
- Opens these code sections to further analysis
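The two-pass conversion order described above, as an added example that is not IDAscope's code: it runs on a constructed flat byte image instead of an IDA database, creates functions from undefined bytes that begin with a known x86 prologue first, and then reports whatever is still undefined as candidate areas. The prologue patterns, the "function body ends at the first ret" rule and the image bytes are assumptions made for this example.

```python
# Added example, not IDAscope's code: simulation of the two-pass "code to
# function" conversion on a constructed byte image. Prologue patterns, the
# 'ends at first ret' rule and IMAGE are assumptions.
import re

# 32-bit prologues: push ebp; mov ebp, esp encoded as 55 8B EC or 55 89 E5.
PROLOGUES = (b"\x55\x8b\xec", b"\x55\x89\xe5")

def prologue_starts(image, defined):
    """Offsets of prologues whose bytes are all still undefined."""
    starts = []
    for pat in PROLOGUES:
        for m in re.finditer(re.escape(pat), image):
            if not any(defined[m.start():m.end()]):
                starts.append(m.start())
    return sorted(starts)

def undefined_runs(defined):
    """Pass 2: contiguous runs of still-undefined bytes as (start, end)."""
    runs, start = [], None
    for i, flag in enumerate(list(defined) + [1]):   # sentinel closes the last run
        if not flag and start is None:
            start = i
        elif flag and start is not None:
            runs.append((start, i))
            start = None
    return runs

def convert(image, defined):
    """Pass 1 then pass 2. `defined` holds one 0/1 flag per byte and is
    updated in place. Returns (functions, leftover_undefined_runs)."""
    funcs = []
    for s in prologue_starts(image, defined):
        if defined[s]:                       # swallowed by a function made earlier
            continue
        end = image.find(b"\xc3", s)         # assumption: body ends at first 'ret'
        end = len(image) if end < 0 else end + 1
        defined[s:end] = b"\x01" * (end - s)
        funcs.append((s, end))
    return funcs, undefined_runs(defined)

# Constructed image: 5 already-defined nops, a function, padding, a second
# function, and a trailing 'call; ret' stub that has no prologue.
IMAGE = (b"\x90" * 5
         + b"\x55\x8b\xec\x33\xc0\x5d\xc3"   # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
         + b"\x00" * 4
         + b"\x55\x89\xe5\x31\xc0\x5d\xc3"
         + b"\xe8\x00\x00\x00\x00\xc3")

def demo():
    defined = bytearray([1] * 5 + [0] * (len(IMAGE) - 5))
    return convert(IMAGE, defined)
```

The leftover runs returned by pass 2 are what the plugin would hand to further analysis, here the padding and the prologue-less stub.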

Page 9: IDAscope: Features
1) Function Inspection

Automatic renaming of wrapper functions
Credits go to Branko Spasojevic (author of Optimice) for providing the code!

Page 10: IDAscope: Features
2) WinAPI Browsing

Seamless integration of MSDN in IDA Pro, accessible via shortcut on highlighted elements.
Now also with online lookup! But not multi-threaded / no backgrounded lookups yet.

Page 11: IDAscope: Features
3) Crypto Identification

Identification of cryptographic / compression routines.
Based on the ratio of arithmetic / logic instructions to all instructions in a basic block.
Approach described in „Dispatcher: Enabling Active Botnet Infiltration using Automatic Protocol Reverse-Engineering“ by Juan Caballero et al.

Page 12: IDAscope: Features
3) Crypto Identification

Example: Citadel string decryption.
1) 3 AritlogInstructions / 9 Instructions = 33% rating
2) 9 instructions
3) 0 calls
4) Is a looped basic block
=> Matches above parameters
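The four-parameter basic-block heuristic from the Crypto Identification slides, as an added example that is not IDAscope's code: it computes the arithmetic/logic ratio, block size, call count and loop membership for constructed blocks, one of which has the shape of the Citadel example (3 of 9 instructions, 0 calls, looped). The mnemonic set counted as arithmetic/logic and the threshold values are assumptions.

```python
# Added example, not IDAscope's code: the basic-block crypto heuristic from the
# slides run over constructed blocks. ARITLOG and the thresholds are assumed.

# Mnemonics treated as arithmetic/logic ("aritlog") instructions (assumed set).
ARITLOG = {"add", "sub", "xor", "and", "or", "not", "neg", "shl", "shr", "sar",
           "rol", "ror", "imul", "mul", "div", "idiv", "inc", "dec"}

def aritlog_rating(mnemonics):
    """Share of arithmetic/logic instructions in a basic block (0.0 if empty)."""
    if not mnemonics:
        return 0.0
    return sum(m in ARITLOG for m in mnemonics) / len(mnemonics)

def block_matches(block, min_rating=0.3, min_instr=8, max_calls=0, need_loop=True):
    """Apply the four parameters from the slide to one block.
    block = {"mnemonics": [...], "is_looped": bool}. Returns (verdict, checks)."""
    mn = block["mnemonics"]
    checks = {
        "rating": aritlog_rating(mn) >= min_rating,
        "size": len(mn) >= min_instr,
        "calls": mn.count("call") <= max_calls,
        "loop": block["is_looped"] or not need_loop,
    }
    return all(checks.values()), checks

def candidate_blocks(blocks, **params):
    """Names of the blocks the heuristic flags as likely crypto/compression code."""
    return [name for name, b in blocks.items() if block_matches(b, **params)[0]]

# Constructed blocks. loc_decrypt has the slide's shape: a byte-wise XOR/ADD
# decryption loop, 9 instructions, 3 of them aritlog, no calls, with a back edge.
BLOCKS = {
    "loc_decrypt": {"mnemonics": ["mov", "movzx", "xor", "add", "mov", "inc",
                                  "cmp", "mov", "jb"], "is_looped": True},
    # API-calling block: no aritlog share and one call, so not a candidate.
    "loc_apicall": {"mnemonics": ["push", "push", "call", "test", "jz"],
                    "is_looped": False},
    # Arithmetic-heavy but tiny and not looped: fails the size and loop checks.
    "loc_smallmath": {"mnemonics": ["xor", "add", "ret"], "is_looped": False},
}
```

Relaxing the size and loop parameters (as the "Colors can be adjusted"-style configurability suggests) lets the small arithmetic block through as well, which is why the defaults matter for false-positive rate.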

Page 13: Future Plans

simpliFiRE.IDAscope

Page 14: IDAscope: Future Plans
4) Threads / Function Relationship

Threads and function call chains are a good indicator of functionality.
A „big picture“ would be very helpful.
My opinion: We need something better than this (WinGraph) or step by step navigation via xrefs.
Same function scope as IDA graph (IDAPython API has limited graph support), not much better:

Page 15: IDAscope: Future Plans
4) Threads / Function Relationship

Threads and function call chains are a good indicator of functionality.
Same displayed as tree, generated with Alex' script [4]

[Screenshot: call tree rooted at CreateThread / Call 0x40bc39 / StartAddress (lpStartAddr) / sub_40B868, descending through wrapper functions (memset_0, memcpy_0, strlen_0, HeapFree_0), renamed routines (DecryptBaseConfig, CustomRc4) and leaf API calls (RegOpenKeyExW, RegQueryValueExW, CreateMutexW, AdjustTokenPrivileges, SetNamedSecurityInfoW, ...)]

Use a TreeWidget for rendering?

[4] http://hooked-on-mnemonics.blogspot.com/2012/08/ida-thread-analysis-sript.html

Page 16: IDAscope Conclusion

Start using it! :)
Repository at http://idascope.pnx.tf (points to: https://bitbucket.org/daniel_plohmann/simplifire.idascope)
I report about updates in my blog: http://blog.pnx.tf and on twitter @push_pnx
Alex has a blog, too: http://hooked-on-mnemonics.blogspot.com
Send feedback or ideas for improvement! [email protected]